In this blog I will explain how to create an IKEv2 VPN connection with a Watchguard firewall. We are then going to publish the VPN settings to our Windows 10 devices with Intune.
Reading-time: 4 minutes
Let’s start with creating the VPN policy in the Watchguard firewall. I’m using the web interface in this blog, but you can use the configuration editor as well.
Create Mobile VPN with IKEv2
- Log in to your Watchguard firewall with the admin credentials (https://yourip:yourportnumber)
- Open the VPN menu and click on Mobile VPN with IKEv2
- Click on Run Wizard.
- Click Next and enter your public IP address
- Click Next and select which authentication server you want to use. For now we are using the Firebox-DB, but you can also use your RADIUS server.
- Click Next and create a new user. Choose a name and password.
- Click Next and specify the virtual IP pool. Be sure this is a pool that is not already in use!
- Click Next and Finish
- We also need to set up a NAT policy, because I want to enable internet access through the VPN.
- Select the Network menu and click on NAT
- We are going to add a new Dynamic NAT, so click on Add
- From: the IP pool range you chose in the VPN policy
- To: the Any-External interface. Save this.
OK, now that we have the configuration, we want to test it before we use Intune. Download the config profile under the VPN menu > Mobile VPN with IKEv2 with the Download button and extract the TGZ file.
In this directory you will find different folders for the different operating systems. Select Windows 8 and run the .bat file. This bat file installs the correct certificate and creates the VPN profile.
When the script is finished you can test the VPN settings by clicking on the network icon in the right corner next to the clock, selecting the WG IKEv2 profile and connecting. If everything went well it will connect successfully. You can browse to whatismy.com to check that the IP shown matches the IP of your company.
Of course, you can only test this from outside your organisation!
Great, now we are going to use Intune to deploy these settings.
Publish with Intune
- Log in to the Azure portal with your admin credentials
- Open Intune
- First we create a new Device Configuration profile for Windows 10 with the VPN profile type
- Don’t forget to give this policy a name and description
- Open the Base VPN settings.
- Connection Name: you can choose whatever you want. Your users will see this name.
- At the server IP address you need to enter your public WAN VPN IP
- Give this a description, for example: Watchguard location X
- Change the default server Boolean to True.
- Add this server
- Choose IKEv2 as the connection type
- Always On: we choose No, because we don't want users to be connected to this VPN all the time
- Remember credentials: we choose Yes
- We don't want to select a certificate. We will deploy this at a later time
- EAP XML: this is a little difficult; for now just enter a few letters so we can save the profile. We will add the real XML later.
We need to get that XML. It can be exported with a PowerShell command, but for that we need to be connected to our VPN, so please connect again.
Open a PowerShell window and run the following commands:
# Replace the placeholder with the name of the test VPN connection that the .bat file created
$Vpn = Get-VpnConnection -Name "<Test VPN connection name>"
# Write the EAP configuration XML to eapconfig.xml in the current directory
$Vpn.EapConfigXmlStream.InnerXml | Out-File .\eapconfig.xml -Encoding ASCII
Change the placeholder <Test VPN connection name> to the name of your test connection.
Open the XML file (it is stored in your current working directory) and copy all of it. Paste this into the EAP XML field and save the policy again.
Cool! We have created the policy. We can assign it to a group to publish the VPN. But this is not going to work without the correct certificate. It will probably work on your test system, because the .bat file we ran earlier already installed the correct certificate. We can delete that certificate so we can test from a clean state (you can delete it with MMC > Certificates > Fireware IKE).
Publish the correct certificate
- I assume we are still in the Intune portal
- Create a new configuration policy for Windows 8.1 and later with a profile type Trusted Certificate
- We can upload a certificate, so browse to the extracted TGZ file and select the correct root certificate.
- The destination store is Computer certificate store – Root
- Save this policy and assign it to the same group of users.
Wait a couple of minutes, refresh your MMC snap-in and hey, there is the certificate again. Try to connect with the VPN and, if everything goes well, you have a connection.
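As an added example (my own script, not from the original post and not Watchguard or Microsoft tooling), the following PowerShell checks on an enrolled Windows 10 device the things this post depends on: the Intune VPN profile exists, uses IKEv2, points at your WAN IP, carries a real EAP XML, and the firebox root certificate is present and valid in the computer Root store. The connection name, server address and certificate subject text are assumptions; change them to your own values.

```powershell
# Added example: verify the Intune-deployed IKEv2 profile and the root certificate.
# All three parameter defaults are hypothetical placeholders, not values from the post.
param(
    [string]$ConnectionName   = 'WG IKEv2',       # Connection Name set in the Intune profile
    [string]$ServerAddress    = '203.0.113.10',   # public WAN VPN IP (placeholder, documentation range)
    [string]$CertSubjectMatch = 'Fireware IKE'    # text expected in the firebox root certificate subject
)

# 1. Find the VPN profile. A user-assigned Intune VPN profile lives in the user's
#    phonebook; fall back to the machine-wide (all-user) list if it is not there.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $vpn) {
    $vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
}
if (-not $vpn) { Write-Warning "VPN profile '$ConnectionName' not found"; return }

# 2. Check the settings the post configures in the Intune Base VPN settings.
$checks = [ordered]@{
    'Tunnel type is IKEv2'       = ($vpn.TunnelType -eq 'Ikev2')
    'Server address matches'     = ($vpn.ServerAddress -eq $ServerAddress)
    'Credentials are remembered' = ($vpn.RememberCredential -eq $true)
    # The placeholder letters typed into the EAP XML field would fail this check.
    'EAP XML looks like XML'     = ($vpn.EapConfigXmlStream.InnerXml -like '*<EapHostConfig*')
}

# 3. Without the root certificate in the computer Root store the client cannot
#    validate the firebox's IKEv2 server certificate and the connection fails.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$CertSubjectMatch*" } |
        Select-Object -First 1
$checks['Root certificate in LocalMachine\Root'] = [bool]$root
if ($root) {
    $checks['Root certificate not expired'] = ($root.NotAfter -gt (Get-Date))
}

# 4. Report each check; any FAIL explains why the connection will not come up.
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$status] $name"
}
```

Run it from the same user context that received the Intune assignment; if the profile is only missing for a different user, that points at an assignment scope problem rather than at the firewall.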